fix(#5452): add optional ssrf check mechanism#5464
Conversation
0e995c5 to
24010f7
Compare
…and custom InetAddressFilter
- Reject URISyntaxException in SsrfUrlValidator instead of silently accepting; a malformed URL is a potential bypass vector - Use @ConditionalOnMissingBean(name=) on ssrfInetAddressFilter to prevent collision with any user-defined InetAddressFilter bean - Add clarifying comment in InstanceWebProxy explaining why relative URIs are skipped (path-only, no host to validate) - Remove unused InetAddressFilter imports from InstanceWebProxy and reactive InstancesProxyController - Fix space-indentation and blank-line formatting in servlet InstancesProxyController (checkstyle / spring-javaformat) - Expand allowed-cidrs examples in docs to show single host, subnet, whole RFC 1918 classes, and IPv6 as separate copy-paste snippets - Add test: rejects_malformedUrl covers the URISyntaxException path
- Reject URLs where URI.getHost() is null but URI.getAuthority() is non-null: this covers octal (0251.0376.0251.0376) and Unicode digit hosts that java.net.URI cannot parse into a standard hostname. Without this guard, octal-encoded private IPs pass validation entirely. - Use authority != null instead of StringUtils.hasText() — getAuthority() is never an empty string, so the plain null-check is exact and clearer. - Add BypassAttempts test class covering: decimal-encoded IPs (resolved correctly by InetAddress), octal and Unicode (caught by the new guard), and uppercase scheme normalisation (SBA's own toLowerCase logic). Tests that only exercise JDK URI parsing or Spring Boot's InetAddressFilter internals were not added — those are tested by their respective owners.
1b68118 to
d15448b
Compare
| uri = new URI(url); | ||
| } | ||
| catch (URISyntaxException ex) { | ||
| throw new SsrfProtectionException( |
There was a problem hiding this comment.
Here, and as a general thing, I would not throw away ex but I would pass it down as cause parameter (to be added) in SsrfProtectionException so that consumers of SBA have, if needed, the full stacktrace available for analysis purposes.
|
|
||
| @Bean | ||
| @ConditionalOnMissingBean | ||
| @ConditionalOnMissingBean(name = "ssrfInetAddressFilter") |
There was a problem hiding this comment.
Can you please define this name in a publicly exposed constant?
In this way, if there is the need to redefine this bean for whatever reason, the constant can be referenced instead of having to know the exact name.
This would provide also more safety across SBA releases in the case the name gets changed since the constant would reflect that automatically without breaking the redefinition said above.
Please be aware that this will then backoff if another bean with the same name is defined without taking into account its type.
| // ForwardRequest.uri is a relative path built by the proxy controllers (no | ||
| // host). The actual host is supplied by InstanceWebClient when it resolves | ||
| // the instance's management URL. Absolute URIs (if ever present) are | ||
| // validated; relative ones have no host to check. |
There was a problem hiding this comment.
Shouldn't be a responsibility of the validator to decide this?
I would just pass the URI in there and let the validator do something like if(!uri.isAbsolute()) return;.
This pull request introduces opt-in protection against Server-Side Request Forgery (SSRF) attacks in Spring Boot Admin Server, focusing on validating and restricting instance registration URLs and proxy targets. It adds configuration options for enabling SSRF protection, customizing allowed IP ranges and schemes, and provides extension points for advanced use cases. Documentation is updated to explain the risks, configuration, and best practices.
SSRF Protection Feature:
healthUrl,managementUrl, andserviceUrlduring instance registration and proxying, blocking requests to private/internal addresses and non-HTTP(S) schemes. This is disabled by default and can be enabled via configuration. [1] [2]AdminServerProperties(ssrf-protection.enabled,allowed-cidrs,allowed-schemes) and supporting beans (InetAddressFilter,SsrfUrlValidator) for flexible address and scheme allowlisting. [1] [2] [3]InstanceRegistryand both servlet and reactiveInstancesProxyControllerto enforce SSRF validation at registration and proxy time. [1] [2] [3]Documentation Updates:
40-ssrf-protection.md) covering risks, configuration, extension, and integration with other security features.General/Other:
These changes significantly improve the security posture of Spring Boot Admin Server by providing robust, configurable defenses against SSRF attacks.
closes #5452